Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe
-
Size
454KB
-
MD5
9574dddf9dd091d6145be04fb9c0be2b
-
SHA1
a8e528988ff0a346f0a850f942d486da29ecf670
-
SHA256
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e
-
SHA512
0430d267cc1dfacef4507b6c00358c7a58da3006cfadbfc1dfc9294901cfa600117ffabeabe7c8e43251accec0aa9d94b82b46685529d9d2419cb63b509eabeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1920-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-997-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-1162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5116 jjvvd.exe 1484 thtttt.exe 2492 dvjpv.exe 2680 nnbtnn.exe 1428 1lrlxxf.exe 4540 ttnhhh.exe 1532 llrrlrr.exe 4080 bbbbtt.exe 1304 3xrrrxx.exe 1656 jppjd.exe 1380 lxfffrr.exe 2960 bhhbtb.exe 636 hnnnhn.exe 2964 hnbtnh.exe 1028 lllfxxl.exe 2304 hhhhhb.exe 2028 ddjjd.exe 2984 xxllfxl.exe 4552 9lfrlrl.exe 4988 nnnhhh.exe 4884 9hhbtn.exe 1852 1dvpd.exe 3664 bnbhbb.exe 1316 flrrrrr.exe 3032 9btbtb.exe 1920 vvvvp.exe 264 1btnnt.exe 3960 rxfxrrr.exe 4168 nhbtnn.exe 4088 pvjdv.exe 1572 nbnhbb.exe 5020 vdjdj.exe 3580 3nttnn.exe 2496 jjvvv.exe 792 7lffxfx.exe 2456 bthhhh.exe 1208 7dpvd.exe 3296 xxfxfll.exe 1632 7xfxxfx.exe 4404 thhhnt.exe 2768 dvvvv.exe 4112 5lxrxxr.exe 3460 nthbbt.exe 4960 7pjdp.exe 4720 xxrlrxl.exe 400 bbnbhn.exe 4976 1vvjd.exe 4676 fffxrlf.exe 924 7hhbnn.exe 3792 pjjdd.exe 904 pvjpp.exe 4356 xlrlflf.exe 3440 bthbnn.exe 4992 jjjdp.exe 4424 3rrfxrl.exe 4588 tbbbtt.exe 1324 jjjjj.exe 1960 xxrfxrf.exe 1092 rlrlfff.exe 3948 hhtnbn.exe 3236 thnnhb.exe 2672 3pjdv.exe 4576 rxflfrr.exe 4248 ttbthh.exe -
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1496-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-997-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 5116 404 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 82 PID 404 wrote to memory of 5116 404 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 82 PID 404 wrote to memory of 5116 404 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 82 PID 5116 wrote to memory of 1484 5116 jjvvd.exe 83 PID 5116 wrote to memory of 1484 5116 jjvvd.exe 83 PID 5116 wrote to memory of 1484 5116 jjvvd.exe 83 PID 1484 wrote to memory of 2492 1484 thtttt.exe 84 PID 1484 wrote to memory of 2492 1484 thtttt.exe 84 PID 1484 wrote to memory of 2492 1484 thtttt.exe 84 PID 2492 wrote to memory of 2680 2492 dvjpv.exe 85 PID 2492 wrote to memory of 2680 2492 dvjpv.exe 85 PID 2492 wrote to memory of 2680 2492 dvjpv.exe 85 PID 2680 wrote to memory of 1428 2680 nnbtnn.exe 86 PID 2680 wrote to memory of 1428 2680 nnbtnn.exe 86 PID 2680 wrote to memory of 1428 2680 nnbtnn.exe 86 PID 1428 wrote to memory of 4540 1428 1lrlxxf.exe 87 PID 1428 wrote to memory of 4540 1428 1lrlxxf.exe 87 PID 1428 wrote to memory of 4540 1428 1lrlxxf.exe 87 PID 4540 wrote to memory of 1532 4540 ttnhhh.exe 88 PID 4540 wrote to memory of 1532 4540 ttnhhh.exe 88 PID 4540 wrote to memory of 1532 4540 ttnhhh.exe 88 PID 1532 wrote to memory of 4080 1532 llrrlrr.exe 89 PID 1532 wrote to memory of 4080 1532 llrrlrr.exe 89 PID 1532 wrote to memory of 4080 1532 llrrlrr.exe 89 PID 4080 wrote to memory of 1304 4080 bbbbtt.exe 90 PID 4080 wrote to memory of 1304 4080 bbbbtt.exe 90 PID 4080 wrote to memory of 1304 4080 bbbbtt.exe 90 PID 1304 wrote to memory of 1656 1304 3xrrrxx.exe 91 PID 1304 wrote to memory of 1656 1304 3xrrrxx.exe 91 PID 1304 wrote to memory of 1656 1304 3xrrrxx.exe 91 PID 1656 wrote to memory of 1380 1656 jppjd.exe 92 PID 1656 wrote to memory of 1380 1656 jppjd.exe 92 PID 1656 wrote to memory of 1380 1656 jppjd.exe 92 PID 1380 wrote to memory of 2960 1380 lxfffrr.exe 93 PID 1380 wrote to memory 
of 2960 1380 lxfffrr.exe 93 PID 1380 wrote to memory of 2960 1380 lxfffrr.exe 93 PID 2960 wrote to memory of 636 2960 bhhbtb.exe 94 PID 2960 wrote to memory of 636 2960 bhhbtb.exe 94 PID 2960 wrote to memory of 636 2960 bhhbtb.exe 94 PID 636 wrote to memory of 2964 636 hnnnhn.exe 95 PID 636 wrote to memory of 2964 636 hnnnhn.exe 95 PID 636 wrote to memory of 2964 636 hnnnhn.exe 95 PID 2964 wrote to memory of 1028 2964 hnbtnh.exe 96 PID 2964 wrote to memory of 1028 2964 hnbtnh.exe 96 PID 2964 wrote to memory of 1028 2964 hnbtnh.exe 96 PID 1028 wrote to memory of 2304 1028 lllfxxl.exe 97 PID 1028 wrote to memory of 2304 1028 lllfxxl.exe 97 PID 1028 wrote to memory of 2304 1028 lllfxxl.exe 97 PID 2304 wrote to memory of 2028 2304 hhhhhb.exe 98 PID 2304 wrote to memory of 2028 2304 hhhhhb.exe 98 PID 2304 wrote to memory of 2028 2304 hhhhhb.exe 98 PID 2028 wrote to memory of 2984 2028 ddjjd.exe 99 PID 2028 wrote to memory of 2984 2028 ddjjd.exe 99 PID 2028 wrote to memory of 2984 2028 ddjjd.exe 99 PID 2984 wrote to memory of 4552 2984 xxllfxl.exe 100 PID 2984 wrote to memory of 4552 2984 xxllfxl.exe 100 PID 2984 wrote to memory of 4552 2984 xxllfxl.exe 100 PID 4552 wrote to memory of 4988 4552 9lfrlrl.exe 101 PID 4552 wrote to memory of 4988 4552 9lfrlrl.exe 101 PID 4552 wrote to memory of 4988 4552 9lfrlrl.exe 101 PID 4988 wrote to memory of 4884 4988 nnnhhh.exe 102 PID 4988 wrote to memory of 4884 4988 nnnhhh.exe 102 PID 4988 wrote to memory of 4884 4988 nnnhhh.exe 102 PID 4884 wrote to memory of 1852 4884 9hhbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe"C:\Users\Admin\AppData\Local\Temp\6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\jjvvd.exec:\jjvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\thtttt.exec:\thtttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\dvjpv.exec:\dvjpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\nnbtnn.exec:\nnbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\1lrlxxf.exec:\1lrlxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\ttnhhh.exec:\ttnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\llrrlrr.exec:\llrrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\bbbbtt.exec:\bbbbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\3xrrrxx.exec:\3xrrrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\jppjd.exec:\jppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\lxfffrr.exec:\lxfffrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\bhhbtb.exec:\bhhbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\hnnnhn.exec:\hnnnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\hnbtnh.exec:\hnbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\lllfxxl.exec:\lllfxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\hhhhhb.exec:\hhhhhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\ddjjd.exec:\ddjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\xxllfxl.exec:\xxllfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\9lfrlrl.exec:\9lfrlrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\nnnhhh.exec:\nnnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\9hhbtn.exec:\9hhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\1dvpd.exec:\1dvpd.exe23⤵
- Executes dropped EXE
PID:1852 -
\??\c:\bnbhbb.exec:\bnbhbb.exe24⤵
- Executes dropped EXE
PID:3664 -
\??\c:\flrrrrr.exec:\flrrrrr.exe25⤵
- Executes dropped EXE
PID:1316 -
\??\c:\9btbtb.exec:\9btbtb.exe26⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vvvvp.exec:\vvvvp.exe27⤵
- Executes dropped EXE
PID:1920 -
\??\c:\1btnnt.exec:\1btnnt.exe28⤵
- Executes dropped EXE
PID:264 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe29⤵
- Executes dropped EXE
PID:3960 -
\??\c:\nhbtnn.exec:\nhbtnn.exe30⤵
- Executes dropped EXE
PID:4168 -
\??\c:\pvjdv.exec:\pvjdv.exe31⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nbnhbb.exec:\nbnhbb.exe32⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vdjdj.exec:\vdjdj.exe33⤵
- Executes dropped EXE
PID:5020 -
\??\c:\3nttnn.exec:\3nttnn.exe34⤵
- Executes dropped EXE
PID:3580 -
\??\c:\jjvvv.exec:\jjvvv.exe35⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7lffxfx.exec:\7lffxfx.exe36⤵
- Executes dropped EXE
PID:792 -
\??\c:\bthhhh.exec:\bthhhh.exe37⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7dpvd.exec:\7dpvd.exe38⤵
- Executes dropped EXE
PID:1208 -
\??\c:\xxfxfll.exec:\xxfxfll.exe39⤵
- Executes dropped EXE
PID:3296 -
\??\c:\7xfxxfx.exec:\7xfxxfx.exe40⤵
- Executes dropped EXE
PID:1632 -
\??\c:\thhhnt.exec:\thhhnt.exe41⤵
- Executes dropped EXE
PID:4404 -
\??\c:\dvvvv.exec:\dvvvv.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5lxrxxr.exec:\5lxrxxr.exe43⤵
- Executes dropped EXE
PID:4112 -
\??\c:\nthbbt.exec:\nthbbt.exe44⤵
- Executes dropped EXE
PID:3460 -
\??\c:\7pjdp.exec:\7pjdp.exe45⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xxrlrxl.exec:\xxrlrxl.exe46⤵
- Executes dropped EXE
PID:4720 -
\??\c:\bbnbhn.exec:\bbnbhn.exe47⤵
- Executes dropped EXE
PID:400 -
\??\c:\1vvjd.exec:\1vvjd.exe48⤵
- Executes dropped EXE
PID:4976 -
\??\c:\fffxrlf.exec:\fffxrlf.exe49⤵
- Executes dropped EXE
PID:4676 -
\??\c:\7hhbnn.exec:\7hhbnn.exe50⤵
- Executes dropped EXE
PID:924 -
\??\c:\pjjdd.exec:\pjjdd.exe51⤵
- Executes dropped EXE
PID:3792 -
\??\c:\pvjpp.exec:\pvjpp.exe52⤵
- Executes dropped EXE
PID:904 -
\??\c:\xlrlflf.exec:\xlrlflf.exe53⤵
- Executes dropped EXE
PID:4356 -
\??\c:\bthbnn.exec:\bthbnn.exe54⤵
- Executes dropped EXE
PID:3440 -
\??\c:\jjjdp.exec:\jjjdp.exe55⤵
- Executes dropped EXE
PID:4992 -
\??\c:\3rrfxrl.exec:\3rrfxrl.exe56⤵
- Executes dropped EXE
PID:4424 -
\??\c:\tbbbtt.exec:\tbbbtt.exe57⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jjjjj.exec:\jjjjj.exe58⤵
- Executes dropped EXE
PID:1324 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe59⤵
- Executes dropped EXE
PID:1960 -
\??\c:\rlrlfff.exec:\rlrlfff.exe60⤵
- Executes dropped EXE
PID:1092 -
\??\c:\hhtnbn.exec:\hhtnbn.exe61⤵
- Executes dropped EXE
PID:3948 -
\??\c:\thnnhb.exec:\thnnhb.exe62⤵
- Executes dropped EXE
PID:3236 -
\??\c:\3pjdv.exec:\3pjdv.exe63⤵
- Executes dropped EXE
PID:2672 -
\??\c:\rxflfrr.exec:\rxflfrr.exe64⤵
- Executes dropped EXE
PID:4576 -
\??\c:\ttbthh.exec:\ttbthh.exe65⤵
- Executes dropped EXE
PID:4248 -
\??\c:\pjjjd.exec:\pjjjd.exe66⤵PID:4080
-
\??\c:\lrfxxrr.exec:\lrfxxrr.exe67⤵PID:3412
-
\??\c:\ppdpv.exec:\ppdpv.exe68⤵PID:3676
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe69⤵PID:3488
-
\??\c:\5hhbtt.exec:\5hhbtt.exe70⤵PID:2008
-
\??\c:\htbhhb.exec:\htbhhb.exe71⤵PID:1844
-
\??\c:\jdjdv.exec:\jdjdv.exe72⤵PID:4180
-
\??\c:\3rrflfr.exec:\3rrflfr.exe73⤵
- System Location Discovery: System Language Discovery
PID:3944 -
\??\c:\thtnhh.exec:\thtnhh.exe74⤵PID:5040
-
\??\c:\vjvvd.exec:\vjvvd.exe75⤵PID:3364
-
\??\c:\lrxrlff.exec:\lrxrlff.exe76⤵PID:2104
-
\??\c:\7nbnbt.exec:\7nbnbt.exe77⤵PID:3972
-
\??\c:\1pdvp.exec:\1pdvp.exe78⤵PID:2164
-
\??\c:\fxfrlxx.exec:\fxfrlxx.exe79⤵PID:2784
-
\??\c:\xxlfrrl.exec:\xxlfrrl.exe80⤵PID:1496
-
\??\c:\1nnhtt.exec:\1nnhtt.exe81⤵PID:2792
-
\??\c:\9pjpv.exec:\9pjpv.exe82⤵PID:4944
-
\??\c:\rffrlfr.exec:\rffrlfr.exe83⤵PID:4740
-
\??\c:\nttttb.exec:\nttttb.exe84⤵PID:3016
-
\??\c:\vvpjd.exec:\vvpjd.exe85⤵PID:3060
-
\??\c:\ddpjd.exec:\ddpjd.exe86⤵PID:2136
-
\??\c:\1xxrlff.exec:\1xxrlff.exe87⤵PID:2980
-
\??\c:\nnhhbb.exec:\nnhhbb.exe88⤵PID:3624
-
\??\c:\pvvpd.exec:\pvvpd.exe89⤵PID:2908
-
\??\c:\rffxllf.exec:\rffxllf.exe90⤵PID:208
-
\??\c:\ntthhb.exec:\ntthhb.exe91⤵PID:1920
-
\??\c:\vvjjv.exec:\vvjjv.exe92⤵PID:2628
-
\??\c:\frrlfxr.exec:\frrlfxr.exe93⤵PID:3076
-
\??\c:\hbtnbt.exec:\hbtnbt.exe94⤵PID:1512
-
\??\c:\9tbbnt.exec:\9tbbnt.exe95⤵PID:3856
-
\??\c:\ppppv.exec:\ppppv.exe96⤵PID:2788
-
\??\c:\frrlfll.exec:\frrlfll.exe97⤵PID:2116
-
\??\c:\nhhbhn.exec:\nhhbhn.exe98⤵PID:4780
-
\??\c:\5ppjv.exec:\5ppjv.exe99⤵PID:3112
-
\??\c:\lrlrfrr.exec:\lrlrfrr.exe100⤵PID:5072
-
\??\c:\tnthhh.exec:\tnthhh.exe101⤵PID:1184
-
\??\c:\vdjjd.exec:\vdjjd.exe102⤵PID:1696
-
\??\c:\xxrfxrl.exec:\xxrfxrl.exe103⤵PID:2456
-
\??\c:\nnnhtt.exec:\nnnhtt.exe104⤵PID:1208
-
\??\c:\bhttbn.exec:\bhttbn.exe105⤵PID:4556
-
\??\c:\ppdvp.exec:\ppdvp.exe106⤵PID:3052
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe107⤵PID:1448
-
\??\c:\9xffxff.exec:\9xffxff.exe108⤵PID:3520
-
\??\c:\hhbnhn.exec:\hhbnhn.exe109⤵PID:4164
-
\??\c:\1dddv.exec:\1dddv.exe110⤵PID:1700
-
\??\c:\ddvpp.exec:\ddvpp.exe111⤵PID:1504
-
\??\c:\frxrlfx.exec:\frxrlfx.exe112⤵PID:3708
-
\??\c:\9thbtt.exec:\9thbtt.exe113⤵PID:2548
-
\??\c:\9dpjv.exec:\9dpjv.exe114⤵PID:4384
-
\??\c:\fxffffx.exec:\fxffffx.exe115⤵PID:4744
-
\??\c:\lxlllrr.exec:\lxlllrr.exe116⤵PID:4328
-
\??\c:\hhtnhh.exec:\hhtnhh.exe117⤵PID:1956
-
\??\c:\jvddd.exec:\jvddd.exe118⤵PID:2536
-
\??\c:\vppdd.exec:\vppdd.exe119⤵PID:5100
-
\??\c:\lxfrfrf.exec:\lxfrfrf.exe120⤵PID:4496
-
\??\c:\tbbbbb.exec:\tbbbbb.exe121⤵PID:4280
-
\??\c:\7nnnnt.exec:\7nnnnt.exe122⤵PID:3360